b'   FEDERAL ELECTION COMMISSION \n\n\n    OFFICE OF INSPECTOR GENERAL \n\n\n\n\n\n              FINAL REPORT \n\n\nReview of Outstanding Audit Recommendations \n\n\n\n\n\n                JUNE 2012 \n\n\n\n\n\n          ASSIGNMENT No. OIG -12-04\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\nReport Overview\n\nAs required by the Inspector General Act of 1978, as amended, the Office of Inspector General\n(OIG) is responsible for conducting audits of the Federal Election Commission\xe2\x80\x99s (FEC)\nprograms and operations. When the OIG conducts an audit, or supervises an Independent Public\nAccounting firm to perform an audit, the OIG also has the responsibility of tracking audit\nrecommendations and performing audit follow-up work to ensure adequate resolution of audit\nrecommendations. Audit follow-up, to include the timely implementation of audit\nrecommendations, is required by Office of Management and Budget Circular A-50, Audit\nFollowup, as revised, and FEC Directive 50: Audit Follow-up,\n\nAlthough management typically provides a semiannual status report to the Commission of their\nprogress concerning outstanding audit recommendations, the official status (open/closed) of\naudit recommendations is determined by the OIG once the OIG has verified that management\nhas adequately implemented the corrective actions to address the audit recommendations. This\ninformation is reported to the Commission and Congress in the OIG\xe2\x80\x99s Semiannual Reports to\nCongress.\n\nThis report provides the Commission with details regarding the:\n\n    \xe2\x80\xa2\t OIG\xe2\x80\x99s Audit Follow-up process, see page 2;\n    \xe2\x80\xa2\t Quarterly meetings with management to determine the status of outstanding audit\n       recommendations, see page 2;\n           a.\t Audit Follow-up Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program, see\n               page 3\n           b.\t Audit of the Commission\xe2\x80\x99s Property Management Controls, see page 4\n           c.\t 2010 Follow-up Audit of Privacy and Data Protection, see page 5\n           d.\t 2010 Follow-up Audit of Procurement and Contract Management, see page 6\n    \xe2\x80\xa2\t OIG\xe2\x80\x99s concerns regarding management\xe2\x80\x99s progress and management of outstanding audit\n       recommendations, see page 6; and\n    \xe2\x80\xa2\t Other FEC reviews with outstanding audit recommendations, see page 8.\n\nFor this review period, the OIG reviewed four audits that had a total of 161 audit\nrecommendations that were outstanding for six months, or more. Collectively for three of the\nfour audits, the OIG closed 48 outstanding audit recommendations based on the OIG\xe2\x80\x99s review of\nmanagement\xe2\x80\x99s implementation of corrective action. However, for one audit (2010 Follow-up\nAudit of Procurement and Contract Management), the OIG\xe2\x80\x99s review determined that\nmanagement had not implemented any corrective action, and all audit recommendations remain\noutstanding. The OIG\xe2\x80\x99s follow-up reviews were completed prior to the most recent May 2012\ncorrective action plans (CAPs) submitted to the Commission by management. Therefore, any\nrecent corrective action completed by management will be reviewed by the OIG during the next\nreview period.\n\n\n\n\n                                               1\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\nAudit Follow-up Process\n\nAt the conclusion of each audit, it is management\xe2\x80\x99s responsibility to develop a CAP. The CAP\nidentifies the plan management has developed to address the audit findings. The CAP should\ndetail the following:\n\n    1.   assignment of Audit Follow-up Official (AFO);\n    2.   audit finding(s);\n    3.   audit recommendation(s);\n    4.   corrective action to implement the audit recommendation(s);\n    5.   staff person with responsibility to implement each task; and\n    6.   expected completion dates.\n\nOnce management drafts the CAP, the OIG then reviews their CAP and provides comments to\nmanagement regarding the sufficiency of their planned corrective actions to address the audit\nfindings. Management reviews the OIG\xe2\x80\x99s comments, finalizes the CAP, and then provides the\nfinal CAP to the Commission with a courtesy copy to the OIG.\n\nFEC Directive 50 requires management to\n\n         \xe2\x80\x9c(3) Conduct regular meetings with the Inspector General throughout the year to follow-\n         up on outstanding findings and recommendations, and include reports of these meetings\n         in the written corrective action plan and semi-annual reports required to be presented to\n         the Commission;\xe2\x80\xa6\xe2\x80\x9d\n\nIn order to work effectively with FEC management in adhering to Directive 50, and to ensure\ncontinuous monitoring and adequate and timely audit resolution, the OIG has revamped our\nfollow-up process to include quarterly meetings with management to discuss the progress of\noutstanding audit recommendations, and reporting semiannually (June & December) to the\nCommission on recommendations that the OIG has closed (if any) based on follow-up reviews.\nThe quarterly meetings are also intended to assist the audit follow-up official in following\nprovisions 4 through 6 of Directive 50, which are listed below:\n\n         \xe2\x80\x9c(4) Respond in a timely manner to all audit reports;\n          (5) Engage in a good faith effort to resolve all disagreements; and\n          (6) Produce semi-annual reports that are submitted to the agency head.\xe2\x80\x9d\n\nQuarterly Meetings\n\nAt the start of the OIG\xe2\x80\x99s quarterly review process (December 2011), four OIG audits had a total\nof 1611 outstanding audit recommendations. Corrective actions had not been adequately\nimplemented since the release of each audit report. To discuss the current status and progress of\n\n1\n The number (161) of outstanding audit recommendations includes recommendations that management has\ndisagreed with the OIG. These recommendations remain open based on further improvement needed by\nmanagement and/or the OIG believes the recommendation is essential to fixing the audit issue and should be\nimplemented.\n\n                                                        2\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\neach audit recommendation, the OIG held separate meetings with the applicable audit follow-up\nofficial and/or management staff for each audit. The OIG held the first meetings during the\nquarter ending December 2011. The OIG then conducted follow-up reviews in early 2012, and\nheld meetings with management to discuss the official status of audit recommendations based on\nour reviews. Out of the four audits reviewed, the OIG was able to close several outstanding\naudit recommendations in three of the four audits, Audit Follow-up Review of the FEC\xe2\x80\x99s\nEmployee Transit Benefit Program, Audit of the Commission\xe2\x80\x99s Property Management Controls,\nand 2010 Follow-up Audit of Privacy and Data Protection.\n\nAlthough several audit recommendations were closed for these three audits, further corrective\naction from management is still needed to implement the remaining outstanding audit\nrecommendations. In addition, no findings have been closed for the 2010 Follow-up Audit of\nProcurement and Contract Management where all audit recommendations remain open. See\ntable below for summary of progress made and outstanding recommendations as of May 2012.\n\n\n                     Outstanding Audit Recommendations Status Table\n\n\n     Title of OIG Audits           Total          Total\n                                Outstanding     Closed per   Total as of   Total Months\n                              Recommendations      OIG       May 2012      Outstanding\nAudit Follow-up Review of\nthe FEC\xe2\x80\x99s Employee Transit          51                26         25            29\nBenefit Program\nAudit of the Commission\xe2\x80\x99s\nProperty Management                 36                15         21            21\nControls\n2010 Follow-up Audit of             45                7          38             9\nPrivacy and Data Protection\n2010 Follow-up Audit of\nProcurement and Contract            29                0          29             6\nManagement\n\n\n\nA.      Audit Follow-up Review of the FEC\xe2\x80\x99s Employee Transit Benefit Program\n\nThe OIG met with the Transit Benefit program manager on December 7, 2011 to discuss the\nstatus of each audit recommendation. During the meeting, the program manager described how\nimplementation of system enhancements to the METRO\xe2\x80\x99s SmartBenefits software application\nhas improved the transit benefits process through automation and system preventative controls.\nOIG was also informed of the additional manual monitoring controls implemented by the FEC\nprogram management team. Following the meeting, the Transit Benefit program manager\nprovided documentation to support the work performed and controls implemented to address\nmany of the audit recommendations. The OIG reviewed, verified, and/or assessed the\ninformation provided to determine if the audit recommendations have been properly addressed\nand was able to close 26 of the 51 open recommendations. These recommendations were closed\n\n                                                 3\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\neither because the OIG verified that adequate controls were implemented and operating\neffectively, or recommendations were no longer needed due to new automation and/or changes to\nthe program since our audit.\n\nThe OIG held another quarterly meeting with the Director of the Office of Human Resources\n(OHR) on March 29, 2012 to provide an update to management based on the OIG\xe2\x80\x99s follow-up\nprocedures performed to date. During this meeting, the OIG informed management that there are\n25 audit recommendations that we consider are still open. OIG notes that management considers\n12 of these 25 open recommendations as closed; the OIG will consider these findings closed\nonce the OIG determines the findings have been addressed and the program is operating\neffectively. The OIG requested additional supporting documentation that could be used to\nevidence that corrective actions for these 12 audit recommendations have been properly\nimplemented. Once the applicable information is reviewed and confirmed, these\nrecommendations can be closed.\n\nFor the remaining 13 outstanding recommendations, the OIG received a status update and\nrevised due dates from OHR management. The OIG notes that the majority of the 13\nrecommendations are tied to the issuance of a revised Commission Directive 54 on the transit\nbenefit program. Until the revised Directive 54 is finalized and approved, and standard operating\nprocedures are documented and communicated to employees, these recommendations cannot be\nclosed.\n\nB.      Audit of the Commission\xe2\x80\x99s Property Management Controls\n\nThe Audit of the Commission\xe2\x80\x99s Property Management Controls (Property Audit) audit report was\nreleased in March 2010. Since release of the audit report, management has not identified an\nAudit Follow-up Official for this audit; therefore, the OIG has worked with the Administrative\nServices Division (ASD) Managers2 and the Deputy Chief Information Officer of Operations\n(Deputy CIO) to receive any updates regarding the implementation of audit recommendations.\nThe responsibility of implementing the audit recommendations are shared by the Administrative\nServices Division and the Office of Information Technology (OIT).\n\nThe Property Audit report identified 36 audit recommendations to improve the controls over\nFEC\xe2\x80\x99s property. ASD is responsible for 10 of the 36 audit recommendations that relate to the\nFEC\xe2\x80\x99s management controls over government vehicles and charge (fuel) cards. The OIG held\nthe first quarterly meeting with the ASD manager for the Property Audit on December 13, 2011.\nThe ASD manager discussed the status of the 10 audit recommendations and provided\ndocumentation and supporting information for the corrective actions that had been completed.\nThe OIG reviewed the information provided by the ASD manager and then conducted follow-up\nreviews of tasks identified as completed by management to ensure adequate implementation.\n\nThe OIG held the next quarterly meeting in March 2012 to provide the ASD manager with the\nofficial status (open/closed) of the outstanding audit recommendations based on the OIG\xe2\x80\x99s\n\n2\n The OIG has worked with one acting ASD manager and two permanent ASD managers since the completion of the\nProperty audit due to frequent turnover in this position.\n\n                                                    4\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\nreview of supporting documentation and follow-up work. The OIG was able to close four of the\nten ASD audit recommendations based on sufficient implementation of the audit\nrecommendations by management. It should be noted that the current ASD manager is\nconsistently working with her staff and outside parties to implement the remaining six audit\nrecommendations, and the OIG has verified that much progress has been made in getting the\ncorrective actions completed and fully implemented.\n\nThe Office of Information Technology is responsible for implementing 26 of the 36 outstanding\naudit recommendations that relate to the FEC\xe2\x80\x99s management controls over mobile devices\n(Blackberry phones). The OIG also met with the Deputy CIO on December 13, 2011 to discuss\nthe current status of the 26 audit recommendations. During and after the meeting, the Deputy\nCIO provided a revised policy along with other supporting documents to support corrective\nactions that have been completed. The OIG reviewed the information provided; conducted\ninterviews with IT staff; and requested further documentation to determine if management had\nsufficiently implemented the audit recommendations.\n\nThe OIG\xe2\x80\x99s review identified seven audit recommendations that could be closed based on the\nFEC\xe2\x80\x99s decision to transition to a bundled (voice and data) service plan with AT&T. These seven\naudit recommendations were no longer applicable based on the change of the service plan. In\naddition, four audit recommendations were closed based on updates made to the OIT\xe2\x80\x99s Policy\n58-4.4: Personal Communication Devices Security Policy, and one recommendation was closed\nrelated to a process change. However, for the remaining 14 audit recommendations, which all\nrequire process improvements, management has not made any significant progress in addressing\nthe audit recommendations. In total, the Property Audit still has 20 outstanding audit\nrecommendations outstanding, six in the ASD area, and 14 in OIT.\n\nC.      2010 Follow-up Audit of Privacy and Data Protection\n\nThe OIG met with the Privacy Team regarding the 2010 Follow-up Audit of Privacy and Data\nProtection on December 12, 2011. The Privacy Team and the OIG went through the CAP and\ndiscussed the status of each audit recommendation. Following the meeting, the Privacy Team\nprovided supporting documentation for 16 of the 453 audit recommendations that management\nconsidered completed. The OIG reviewed all information that was provided and was able to\nclose six audit recommendations due to sufficient implementation. The corrective actions and/or\ndocumentation management provided to support the remaining ten audit recommendations were\nnot sufficient or adequately implemented to effectively address the audit issue.\n\nDue to conflicting schedules and office workload in both offices, the Privacy Team and the OIG\nwere unable to meet during the next quarterly period (ending March 2012). Therefore, a meeting\nwas held on May 17, 2012 to discuss the OIG\xe2\x80\x99s review. From this meeting, further supporting\ndocumentation and information was provided by the Privacy Team to close one additional\nfinding. In total, the OIG was able to close seven findings, leaving 38 still outstanding.\n\n\n3\n Out of the 45 recommendations, there are 8 recommendations management has disagreed with the OIG, and does\nnot plan to implement any corrective action.\n\n                                                     5\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\nD.      2010 Follow-up Audit of Procurement and Contract Management\n\nThe OIG held quarterly meetings with the Chief Financial Officer (CFO) on December 13, 2011\nand March 28, 2012 to determine the status of the outstanding audit recommendations for the\n2010 Follow-up Audit of Procurement and Contract Management. During the December 2011\nmeeting, the CFO stated that all 294 recommendations were open and would not be completed\nuntil Directive 66 (planned procurement Directive/policy) was finalized and approved by the\nCommission. When the OIG met with the CFO in March 2012, it was determined that minimal\nprogress had been made and all 29 audit recommendations are still outstanding. The CFO\ncontinued to report that corrective action on outstanding audit recommendations had been\ndelayed pending the approval of the new procurement directive, as well as a vacancy in the\nProcurement Director position and other staffing gaps. The OIG communicated to the CFO that\nwe did not agree that progress on all 29 recommendations should be contingent on the\nfinalization and approval of Directive 66 or hiring a Procurement Director. The OIG stressed the\nimportance of implementing adequate internal controls and that management should make every\neffort to complete all recommendations by the revised due dates.\n\nOffice of Inspector General Concerns\n\n1.\t Management\xe2\x80\x99s reporting process for providing the Commission with semiannual status\n    reports needs to be improved. Based on review of the semiannual status reports sent to the\n    Commission, we identified the following:\n\n            \xc2\x83\t May 2012 status report for the Audit of the Commission\xe2\x80\x99s Property Management\n               Controls was not the most recent CAP to reflect the current status of audit\n               recommendations;\n            \xc2\x83\t CAPs submitted to the Commission for May 2012 did not contain all relevant\n               information. The CAPs did not include OIG comments, the status (open/closed)\n               of each recommendation and/or estimated completion dates;\n            \xc2\x83 Management did not consistently revise the corrective action due dates in the\n               CAPs when the original completion dates are not achieved;\n            \xc2\x83 In many instances, completion dates for audit implementation are overdue by\n               several months without any progress being made;\n            \xc2\x83 Historically, CAPs are not submitted in a timely fashion or not at all5; and\n            \xc2\x83 CAPs are not always in a readable format. CAPs are scanned and/or converted to\n               a PDF format and the font is not legible. For example, the Audit of the\n               Commission\xe2\x80\x99s Property Management Controls CAP sent to the Commission in\n               October 2010, May 2011, and the most recent May 2012.\n\n     Suggestion: Management should improve the timeliness and quality of the CAPs submitted\n     to the Commission.\n\n\n4\n  Out of the 29 recommendations, there is one recommendation management has disagreed with the OIG, and does\n\nnot plan to implement any corrective action. \n\n5\n  The OIG notes that FEC management submitted all May 2012 CAPs to the Commission on time, and therefore the\n\nOIG is hopeful that improvement on timeliness is being addressed by management. \n\n\n                                                     6\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\n2.\t There is no standard format used for reporting the status of the CAPs to the Commission or\n    the OIG.\n\n   Suggestion: Management should adopt a standard CAP template to be used for all CAPs. A\n   standard template will ensure consistency of the information. The OIG has provided\n   management a standard template and the OIG plans to work with management to save this\n   template in a central location for all follow-up officials.\n\n3.\t Management has made minimal progress on the corrective action plan for the 2010 Follow-\n    up Audit of Procurement and Contract Management. The OIG is concerned by the delay in\n    implementing adequate internal controls in procurement processes, which is an area that has\n    a high inherent risk of fraud. The OIG notes that some of the audit recommendations are\n    directly related to bringing the FEC in compliance with the FAR (Federal Acquisition\n    Regulations). The longer it takes to address these recommendations, the greater the exposure\n    the FEC has to being cited for violating government mandated regulations over the\n    procurement function, among other risks. According to the Office of the Chief Financial\n    Officer, delays in implementing recommendations are attributed to a lack of continuity in the\n    Contracting Officer position and the revision of a Commission Directive on procurement\n    pending Commission approval. While we agree these are relevant issues, the OIG believes\n    some progress on implementing recommendations could and should have been made since\n    the issuance of the OIG\xe2\x80\x99s audit report.\n\n   Suggestion: A new Contracting Officer has been hired by the FEC and is expected to start\n   on Monday, June 18, 2012. Also, in the event the revised Commission Directive on\n   Procurement is not finalized by July 31, 2012, the OIG suggests the Office of the Chief\n   Financial Officer should move forward with implementation of corrective action on the\n   OIG\xe2\x80\x99s recommendations to ensure compliance with contracting regulations and internal\n   control requirements. Any revisions to operating procedures as a result of the new\n   Commission Directive can be made, as appropriate.\n\n4.\t The progress that has been made by Office of Information Technology to adequately\n    implement audit recommendations for the Audit of the Commission\xe2\x80\x99s Property Management\n    Controls is minimal. Management has expressed that additional progress to sufficiently\n    address outstanding audit findings is not likely.\n\n   Suggestion: The CIO should review the latest CAP, discuss progress with his OIT team, and\n   meet with the OIG to discuss a plan forward.\n\n5.\t Management has not established an audit follow-up official for the Audit of the\n    Commission\xe2\x80\x99s Property Management Controls. Also ASD and OIT do not maintain one\n    comprehensive CAP with management\xe2\x80\x99s updated activity.\n\n   Suggestion: Management should appoint an audit follow-up official for all audits as\n   required by Commission Directive 50 and OMB Circular A-50. Specifically, an audit follow-\n   up official should be appointed for the Audit of the Commission\xe2\x80\x99s Property Management\n   Controls. In addition, for all future audits, an audit follow-up official should be identified at\n\n                                                 7\n\n\x0cOffice of Inspector General\xe2\x80\x99s Review of Outstanding Audit Recommendations\nJune 2012 Report\n\n   the time the initial CAP is finalized by management and submitted to the Commission and\n   OIG, i.e. within 30 days from the issuance of the final audit report.\n\nOther Matters\n\nIn addition to the aforementioned audits, there are other FEC audits and reviews that have\noutstanding recommendations:\n\n   1. 2011 Inspection of the FEC\xe2\x80\x99s Kastle Key Program;\n   2. FEC\xe2\x80\x99s FY 2011 Financial Statement Audit; and\n   3. FEC\xe2\x80\x99s 2009 Human Capital Management Evaluation.\n\nThe objective of the inspection was to identify management processes or controls concerning the\nFEC\xe2\x80\x99s Kastle Key system that can be improved, and provide management with recommendations\nto help strengthen this FEC function. The OIG released the Kastle Key inspection report in\nDecember 2011, which proposed 15 recommendations to management to assist in strengthening\nthe controls over the Kastle Key program. This inspection was not included in this review as the\nrecommendations have not been outstanding for six months, which is the time frame for\ntriggering an OIG follow-up review. Management\xe2\x80\x99s CAP for the Kastle Key inspection is\nscheduled for review in the upcoming quarterly review period. Any recommendations that have\nbeen adequately implemented based on the OIG\xe2\x80\x99s review will be closed and reported during the\nOIG\xe2\x80\x99s next semiannual reporting period, December 2012.\n\nThe FEC\xe2\x80\x99s FY 2011Financial Statement Audit contained 20 outstanding audit recommendations.\nIn accordance with LSC\xe2\x80\x99s contract with the OIG, LSC is responsible for conducting follow-up\nwork each audit year on the prior year\xe2\x80\x99s audit recommendations, and reporting on management\xe2\x80\x99s\nprogress. LSC began the current year\xe2\x80\x99s (FY 2012) financial statement audit in May 2012. LSC\nwill be reviewing the work completed by management to address the outstanding audit\nrecommendations from FY 2011. The results of LSC\xe2\x80\x99s follow-up work will be reported in the\nFEC\xe2\x80\x99s FY 2012 Financial Statement Audit report.\n\nThe FEC\xe2\x80\x99s Human Capital Management Evaluation was conducted by the Office of Personnel\nManagement (OPM) in 2009. OPM\xe2\x80\x99s evaluation resulted in 35 required corrective actions that\nshould be implemented by OHR, and 39 recommended corrective actions to assist in improving\nOHR\xe2\x80\x99s business processes. According to management, via their May 2012 semiannual report of\ncorrective actions submitted to the Commission, management has fully implemented 17 of the 35\nrequired corrective actions, and 19 of the 39 recommended actions since 2009. Although this\nevaluation was conducted by an external entity that was not contracted by the OIG, the OIG\nreviews the progress that management is making to implement the OPM recommendations and\nrequesting the CAP updates that are sent to the Commission. However, the OIG does not review\nOHR\xe2\x80\x99s implementation of OPM\xe2\x80\x99s evaluation recommendations for sufficiency, and does not\nconfirm that the recommendations identified as closed by management have been adequately\nimplemented. The OIG\xe2\x80\x99s review of OHR\xe2\x80\x99s progress in implementing OPM\xe2\x80\x99s evaluation\nrecommendations is used as part of the OIG\xe2\x80\x99s risk assessment for our annual work plan.\n\n\n\n                                                8\n\n\x0c                         Federal Election Commission\n                           Office of Inspector General\n\n\n\n\n    Fraud Hotline\n    202-694-1015\n\n\n\n\n      or toll free at 1-800-424-9530 (press 0; then dial 1015)\n      Fax us at 202-501-8134 or e-mail us at oig@fec.gov\n      Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463\n\n\n\n\nIndividuals including FEC and FEC contractor employees are encouraged to alert the OIG to\nfraud, waste, abuse, and mismanagement of agency programs and operations. Individuals\nwho contact the OIG can remain anonymous. However, persons who report allegations are encouraged\nto provide their contact information in the event additional questions arise as the OIG evaluates the\nallegations. Allegations with limited details or merit may be held in abeyance until further specific details\nare reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector\nGeneral will not disclose the identity of an individual who provides information without the consent of that\nindividual, unless the Inspector General determines that such disclosure is unavoidable during the course\nof an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml\n\n                            Together we can make a difference.\n\x0c'